View Issue Details

ID: 0004752
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2012-11-27 16:59
Reporter: tjungcl
Assigned To:
Status: resolved
Resolution: fixed
Product Version: 4.6.5 revision 49955
Fixed in Version: 4.6.6 revision 54646
Summary: 0004752: double opt-in link reusable

Description:

The case is closed, because after the fix, you send a new confirmation email to the new email address.

The link from the first double-opt-in email is reusable for any email address, though:

the uid=... param is the oxid of the user and independent of the email address.

So, you can double-opt-in with your own email address.
Then change the email address in the account settings, and click the link from the first double-opt-in email again.

If you used as uid param a hash-coded string from userid + email address, the link would be (re)usable only for this one combination.
Tags: No tags attached.
PHP Version: any
Database Version: any


Relationships: duplicate of 0004753 (resolved, aurimas.gladutis): double opt-in can be fooled completely



Notes

~0008001 (reporter) 2012-11-27 16:59

Hi, thank you for your collaboration. We have added confirm key in newsletters confirmation. This should stop users from fooling newsletter activation.
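The following is an added example, not OXID eShop code and not the confirm key the developers describe in the note above. It puts the flaw from the report (a confirmation link keyed only on the user's oxid, so it confirms whatever address the account has at the moment it is clicked) next to the reporter's suggestion of binding the link to the userid + email address combination. The binding uses an HMAC under a server-side secret rather than a bare hash, so a user cannot forge a key for an address they do not own. The `$users` array, the field names `email`/`confirmed`, and `$secret` are assumptions standing in for the shop's user table and configuration.

```php
<?php
// Added example (not OXID eShop code): double-opt-in confirmation keyed on the
// user id only, beside a confirmation bound to the (user id, email) pair.
// Assumptions: $users stands in for the oxuser table (oxid => record), the
// field names 'email' and 'confirmed' are hypothetical, and $secret is a
// hypothetical server-side key that never leaves the shop.
declare(strict_types=1);

// Constructed sample user table.
$users = [
    'user-oxid-1' => ['email' => 'attacker@example.com', 'confirmed' => false],
];

$secret = 'server-side-secret-key'; // hypothetical; load from config in practice

// Vulnerable variant, as in the report: the link carries only the oxid, so it
// confirms whatever address the account currently has.
function confirmByUidOnly(array &$users, string $uid): bool
{
    if (!isset($users[$uid])) {
        return false;
    }
    $users[$uid]['confirmed'] = true;
    return true;
}

// Hardened variant: the confirm key is an HMAC over the oxid and the address
// the mail was sent to, so it is valid only for that one combination.
function makeConfirmKey(string $secret, string $uid, string $email): string
{
    return hash_hmac('sha256', $uid . "\0" . $email, $secret);
}

function confirmWithKey(array &$users, string $secret, string $uid, string $key): bool
{
    if (!isset($users[$uid])) {
        return false;
    }
    // Recompute over the address stored *now*; if it changed after the mail
    // went out, the old key no longer matches.
    $expected = makeConfirmKey($secret, $uid, $users[$uid]['email']);
    if (!hash_equals($expected, $key)) { // constant-time comparison
        return false;
    }
    $users[$uid]['confirmed'] = true;
    return true;
}

// Walk through the steps from the report.
$uid = 'user-oxid-1';
$report = static fn(string $step, bool $ok): string =>
    sprintf("%s: %s\n", $step, $ok ? 'confirmed' : 'rejected');

// 1. The user receives the link for their own address and confirms it.
$firstLinkKey = makeConfirmKey($secret, $uid, $users[$uid]['email']);
echo $report('first link, own address', confirmWithKey($users, $secret, $uid, $firstLinkKey));

// 2. The user changes the account address to one they do not own; the shop
//    resets the confirmation and would send a new mail to the new address.
$users[$uid]['email'] = 'victim@example.com';
$users[$uid]['confirmed'] = false;

// 3. The first link is clicked again. The uid-only handler cannot tell the
//    difference, while the bound key fails because the address changed.
echo $report('replay, uid only', confirmByUidOnly($users, $uid));
$users[$uid]['confirmed'] = false;
echo $report('replay, bound key', confirmWithKey($users, $secret, $uid, $firstLinkKey));
```

Run with `php example.php`. A stored random confirm key per user, invalidated whenever the address changes, achieves the same binding without a shared secret; the HMAC form shown here is the stateless version of the reporter's userid + email suggestion.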